Script Interpreter Connection to Non-Standard Port

Last updated 2 days ago on 2026-02-09

Created 12 days ago on 2026-01-30

About

Detects the execution of a script interpreter followed by an outbound network connection to a raw IP address on a non-standard port. Many initial access scripts and malware implants connect directly to C2 or payload servers using non-standard ports to avoid detection.

Tags

Domain: EndpointOS: macOSUse Case: Threat DetectionTactic: Command and ControlTactic: ExecutionData Source: Elastic DefendLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

↳ Non-Standard Port (T1571)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.process-*logs-endpoint.events.network-*
Related Integrations: endpoint(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗sequence by process.entity_id with maxspan=1m
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and 
    (process.name like~ "python*" or process.name in ("node", "ruby")) and 
    process.args_count == 2]
  [network where host.os.type == "macos" and event.type == "start" and 
    (process.name like~ "python*" or process.name in ("node", "ruby")) and 
    destination.domain == null and 
    not destination.port in (443, 80, 53, 22, 25, 587, 465, 8080, 8089, 8200, 9200) and 
    destination.port < 49152 and
    not cidrmatch(destination.ip, "240.0.0.0/4", "233.252.0.0/24", "224.0.0.0/4", "198.19.0.0/16", 
                  "192.18.0.0/15", "192.0.0.0/24", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", 
                  "172.16.0.0/12", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", 
                  "192.168.0.0/16", "192.88.99.0/24", "100.64.0.0/10", "192.175.48.0/24", 
                  "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "::1", "FE80::/10", "FF00::/8")]

Install detection rules in Elastic Security

Detect Script Interpreter Connection to Non-Standard Port in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).